The computer on which you are installing AD RMS must be a member server in a domain, or it must be a domain controller. You cannot deploy AD RMS on a server that is part of a workgroup.
If you are installing AD RMS on a domain controller, you must add the AD RMS service account to the Domain Admins group. We do not recommend adding the AD RMS service account to the Enterprise Admins group.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
|To install the AD RMS Server Role|
Log on to the server on which you want to install AD RMS.
Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
In the Roles Summary box, click Add Roles.
Read the Before You Begin section, and then click Next.
On the Select Server Roles page, select the Active Directory Rights Management Services box.
The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.
Read the AD RMS introduction page, and then click Next.
On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.
Select the Create a new AD RMS cluster option, and then click Next.
Select the Use a different database server option, and then click Select.
If you choose to use the Windows Internal database to host the AD RMS databases for a single-server installation, steps 11 and 12 are not required.
Type the name of the computer that will be hosting AD RMS databases, and then click OK.
In Database Instance, choose the appropriate instance, click Validate, and then click Next.
On the Specify Service Account page, click Specify, type the domain user account and password that should be used as the AD RMS service account, click OK, and then click Next.
Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.
If you choose to protect the AD RMS cluster key by using a cryptographic storage provider, step 15 is not required.
Type a strong password in the Password box and in the Confirm password box, and then click Next.
Choose the Web site where the AD RMS Web services will be installed, and then click Next. In a default installation, the name of the Web site should be Default Web Site.
As a best security practice, the AD RMS cluster should be provisioned by using an SSL-encrypted connection. Select the Use an SSL-encrypted connection (https://) option.
Type the fully-qualified domain name of the AD RMS cluster in the Internal Address box, and then click Validate. If you want to change the default port on which AD RMS communicates, you can do that on this page of the wizard as well. If validation succeeds, the Next button will become active. Click Next.
Select the Choose an existing certificate for SSL encryption option, click the appropriate certificate or click Import to import the certificate, and then click Next.
Self-signed certificates should only be used for test environments. In a production environment, we strongly recommend using an SSL certificate issued from a certification authority, such as Verisign Inc.
Type a name that will help you identify the AD RMS cluster in the Friendly name box, and then click Next.
Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory Domain Services (AD DS).
In order to register the AD RMS SCP, you must be logged on to the AD RMS server with a user account with write access to the Services container in AD DS.
Read the Introduction to Web Server (IIS) page and then click Next.
Click Next again, leaving the Web server defaults.
Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.
Log off from the server, and then log back on to update the permissions granted to the logged on user account. The user account that is logged on when the AD RMS server role is provisioned is automatically made a member of the AD RMS Enterprise Administrators group. A user must be a member of that group to administer AD RMS.